Cross-Site Scripting Vulnerability in Open WebUI by Open WebUI
CVE-2026-45346

5.1MEDIUM

Key Information:

Vendor: Open-webui
Status: Open-webui
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-45346?

Open WebUI, a self-hosted AI platform designed for offline operation, contains a Cross-Site Scripting vulnerability in its SVG renderer prior to version 0.6.31. This flaw can be exploited to execute arbitrary scripts in the context of the user's browser, potentially exposing sensitive data or allowing unauthorized actions. Users are recommended to upgrade to version 0.6.31 or later to mitigate this risk.

Affected Version(s)

open-webui < 0.6.31

References

https://github.com/open-webui/open-webui/security/advisor...

x_refsource_CONFIRM

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 11, 2026

CVE-2026-45346 Data

JSON

Open-webui

What is CVE-2026-45346?

Affected Version(s)

References

CVSS V4

Timeline